And the need for disseminating this intelligence quickly, supported by recommended action steps, or automation where possible, is a must. Slammer had a six-month lead time, but Slammer, which affected Air Canada and the New York Times, among others, had only a 28-day lead time. It is not fear mongering to think ahead to exploits that can wreak havoc on systems that are discovered only six hours, or even 28 minutes, before the attacks ensue.
Certainly, being proactive is one of the components of the solution. Yes, we do, as an industry, need to take the time to "floss". What does that mean though, in practice? First and foremost, it means taking preventative measures that surround and support the patch management efforts.
Patches alone are not the ultimate solution. Harden servers where needed; turn off unnecessary services; build access control into the network, servers and applications themselves. For patch management, services and tools that fit into the overall system and network management solution -- not just that stay siloed in security -- work more effectively.
Part of being proactive is knowing when something doesn't need to get done and when a patch requires immediate attention. Without a view to the overall systems, this point can be blurred. For example, a production server that's accessible on the Internet may need to be patched immediately, while an internal server behind an intranet firewall and accessible only to trusted users might be able to sustain a lag time in the patch process.
Finally, as Mel Brooks said, "Hope for the best, expect the worst," and have a recovery plan in place. Sometimes reacting after the fact is essential, none of us are soothsayers, and even the most well protected and patched systems may ultimately be attacked. So be ready with a plan for when that happens; the ability to recover from a critical failure is a part of the overall security posture. The truth is that patching and protecting proactively will reduce vulnerability, but being prepared for the inevitable reactive patching and recovery is essential as well.
Part of the reason the industry is in reactive mode so much of the time is that security is not seen as critical to the overall business profitability. This is a dangerous approach and leads to vulnerability. Arguably, no business can run if it's not secure. But until upper management buys into this viewpoint, security will remain a secondary consideration.
Diana Kelley is a security technology strategist for Computer Associates International's eTrust brand.
